Chapter 4 Enhancing Security 67
5 If you override the defaults, provide the following information in the next few screens:
• A unique serial number for the root certificate
• The number of days the CA functions before expiring
• The type of user certificate this CA is signing
• Whether to create a CA website for users to access for CA certificate distribution
6 Click Continue.
7 Provide the Certificate Assistant with the requested information and click Continue.
You need the following information to create a CA:
• An email address of the responsible party for certificates
• The name of the issuing authority (you or your organization)
• The organization name
• The organization unit name
• The location of the issuing authority
8 Select a key size and an encryption algorithm for the CA certificate and then click
Continue.
A larger key size is more computationally intensive to use, but much more secure. The
algorithm you choose depends more on your organizational needs than on technical
considerations.
DSA and RSA are strong encryption algorithms. DSA is a United States Federal
Government standard for digital signatures.
9 Select a key size and an encryption algorithm for the certificates to be signed,
and then click Continue.
10 Select the Key Usage Extensions you need for the CA certificate and then click
Continue.
At a minimum, you must select Signature and Certificate Signing.
11 Select the Key Usage Extensions you need for the certificates to be signed and then
click Continue.
Default key use selections are based on the type of key selected earlier in the Assistant.
12 Specify other extensions to add to the CA certificate and click Continue.
13 Select the keychain “System” to store the CA certificate.
14 Choose to trust certificates on this computer signed by the created CA.
15 Click Continue and authenticate as an administrator to create the certificate and
key pair.
16 Read and follow the instructions on the last page of the Certificate Assistant.
You can now issue certificates to trusted parties.
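
The inputs the Assistant collects in steps 5 through 10 map directly onto fields of an X.509 CA certificate. The following is an added example, not part of the original manual: it uses the openssl command-line tool (an assumption; the manual uses Certificate Assistant) to build a root certificate from those inputs and then check that the result carries the minimum Key Usage Extensions from step 10. All names, addresses, the serial number and the helper function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: the Certificate Assistant's CA inputs expressed as OpenSSL config.
# All names and values below are constructed placeholders.

# make_ca DIR SERIAL DAYS -> writes DIR/ca.key and DIR/ca.pem
make_ca() {
    dir=$1 serial=$2 days=$3
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
# Step 7: issuing authority, organization, unit, location, contact address
CN           = Example Root CA
O            = Example Org
OU           = IT Security
L            = Example City
emailAddress = ca-admin@example.com
[v3_ca]
basicConstraints = critical, CA:TRUE
# Step 10 minimum: Signature and Certificate Signing
keyUsage         = critical, digitalSignature, keyCertSign
EOF
    # Step 5: serial and lifetime; step 8: key size and algorithm.
    # -nodes leaves the demo key unencrypted; a real CA key needs protection.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ca.cnf" -set_serial "$serial" -days "$days" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# ca_ok CERT -> exit 0 only if CERT is a CA with the step 10 minimum usages
ca_ok() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    for want in "CA:TRUE" "Digital Signature" "Certificate Sign"; do
        printf '%s\n' "$text" | grep -q "$want" || return 1
    done
}

# ca_serial CERT -> prints the serial number in hex
ca_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

demo=$(mktemp -d)
make_ca "$demo" 4097 3650
ca_ok "$demo/ca.pem" && echo "CA ok, serial $(ca_serial "$demo/ca.pem")"
```

The same ca_ok check can be pointed at a certificate exported from the System keychain in PEM form to confirm what the Assistant actually issued.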